IP Standard Access List Overview

IP standard access lists include the following characteristics:

• Test condition is based on the source address only.

• Numbered standard access lists are 1 to 99.

• Access list is processed from the top down. As soon as a match is found, the access list stops processing.

• There is an implicit deny of everything at the end of every access list. If no match is found in the access list, it will ultimately match the implicit deny at the end of the list.

• The creation of the access list does nothing until the access list is applied.

• Access lists can be applied either inbound or outbound. An inbound access list checks the packet as it enters the interface before it has been routed. An outbound access list checks as the packet goes out an interface after the packet has been routed.

Use the access-list command to create an entry in a standard traffic filter list:

Router(config)#access-list access-list-number {permit | deny} source-address [source-wildcard]

where

• access-list-number identifies the list to which the entry belongs. For an IP standard access list, use a number from 1 to 99.

• permit | deny indicates what the result will be if the test condition is matched. A permit allows the matching packet through the interface (in or out, depending on how the list is applied). A deny drops the packet and sends an ICMP message back to the source.

• source-address identifies the source IP address to match.

• source-wildcard indicates how much of the address to match. A 0 indicates that it must match the corresponding bit in the source address; a 1 indicates that the corresponding bit can be any value.

The access control list can now be applied to the interface for traffic management purposes. To apply the access list to the interface, use the ip access-group access-list-number {in | out} command.

By default, the access-group command is set for outbound processing. This means that the packet is checked after it has been routed and just before it exits the interface. You can change this to inbound checking by adding the in keyword at the end of the access-group command. For example, consider the setup in Figure 12-6.

Figure 12-6 Restricting Access with Access Lists [figure not reproduced; the only label recovered from it is the host address 192.168.4.7]

Example 12-9 demonstrates how you would configure an access list for the router in Figure 12-6.

Example 12-9 Configuring a Standard IP Access List


access-list 1 permit 192.168.2.5
interface vlan 10
ip address 192.168.4.1 255.255.255.0
ip access-group 1 out

In Example 12-9, access-list 1 is configured, which permits only a specific network to be passed. The ip access-group command is then applied on a per-interface basis (interface VLAN 10) in the outbound direction; every other source address falls through to the implicit deny at the end of the list.
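The matching rules above (source-address-only test, wildcard bits, top-down first-match, implicit deny) are easy to get wrong when reading a configuration, so here is an added Python model of how a standard IP access list is evaluated. It is not code from the book or from Cisco IOS; the function names, the constructed sample configuration and the host addresses are assumptions, and it handles only the dotted-decimal source/wildcard form shown on this page (not the host/any keywords).

```python
import ipaddress

def _to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(config_text):
    """Parse 'access-list N {permit|deny} source [wildcard]' lines.

    Returns {acl_number: [(action, source_int, wildcard_int), ...]} with the
    entries kept in configuration order, because order decides the match.
    """
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # ignore interface lines, comments, blank lines
        number, action, source = int(parts[1]), parts[2], parts[3]
        if not 1 <= number <= 99:
            raise ValueError(f"standard IP access lists are numbered 1-99, got {number}")
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        # Omitted wildcard means 0.0.0.0: every bit must match, i.e. a single host.
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
        acls.setdefault(number, []).append((action, _to_int(source), _to_int(wildcard)))
    return acls

def evaluate(entries, src_ip):
    """Return (action, index_of_matching_entry) for a packet's source address.

    Entries are tested top down; the first match ends processing. A wildcard
    bit of 0 means 'must match', 1 means 'do not care'. No match at all hits
    the implicit deny, reported with index None.
    """
    src = _to_int(src_ip)
    for index, (action, source, wildcard) in enumerate(entries):
        care = 0xFFFFFFFF & ~wildcard
        if (src & care) == (source & care):
            return action, index
    return "deny", None

# Constructed sample configuration (assumption, not from the page).
SAMPLE_CONFIG = """\
access-list 1 permit 192.168.2.5
access-list 1 deny 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
"""
ACL_1 = parse_standard_acl(SAMPLE_CONFIG)[1]

if __name__ == "__main__":
    for host in ("192.168.2.5", "192.168.2.9", "192.168.7.1", "10.0.0.1"):
        print(host, "->", evaluate(ACL_1, host))
```

Note that the host entry for 192.168.2.5 is only effective because it precedes the deny for 192.168.2.0/24; swapping the two lines would silently block that host, which is the ordering mistake the top-down rule warns about.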
